Typical application control rules

Article:HOWTO55140  |  Created: 2011-06-29  |  Updated: 2011-12-16  |  Article URL http://www.symantec.com/docs/HOWTO55140
Article Type
How To

You might want to create custom application control rules to prevent users from opening applications, writing to files, or sharing files.

See Creating custom application control rules.

You can look at the default rule sets to help determine how to set up your rules. For example, you can edit the Block applications from running rule set to view how you might use a Launch Process Attempts condition.

See Enabling a default application control rule set.

Table: Typical application control rules

Prevent users from opening an application

You can block an application when it meets either of these conditions:

  • Launch Process Attempts

    For example, to prevent users from transferring FTP files, you can add a rule that blocks a user from launching an FTP client from the command prompt.

  • Load DLL Attempts

    For example, if you add a rule that blocks Msvcrt.dll on the client computer, users cannot open Microsoft WordPad. The rule also blocks any other application that uses the DLL.

Prevent users from writing to a particular file

You may want to let users open a file but not modify it. For example, a file may contain financial data that employees should view but not edit.

You can create a rule to give users read-only access to a file. For example, you can add a rule that lets you open a text file in Notepad but does not let you edit it.

Use the File and Folder Access Attempts condition to create this type of rule.

Block file shares on Windows computers

You can create a custom rule that applies to all applications to disable local file and print sharing on Windows computers.

Include the following conditions:

  • Registry Access Attempts

    Add all the relevant Windows security and sharing registry keys.

  • Launch Process Attempts

    Specify the server service process (svchost.exe).

  • Load DLL Attempts

    Specify the DLLs for the Security and Sharing tabs (rshx32.dll, ntshrui.dll).

  • Load DLL Attempts

    Specify the server service DLL (srvsvc.dll).

You set the action for each condition to Block access.


After you apply the policy, you must restart client computers to completely disable file sharing.

You can also use firewall rules to prevent or allow client computers to share files.

See Permitting clients to browse for files and printers in the network.

Prevent users from running peer-to-peer applications

You can use application control to prevent users from running peer-to-peer applications on their computers.

You can create a custom rule with a Launch Process Attempts condition. In the condition, you must specify all peer-to-peer applications that you want to block, such as LimeWire.exe or *.torrent. You can set the action for the condition to Block access or Terminate process.

Use an Intrusion Prevention policy to block network traffic from peer-to-peer applications. Use a Firewall policy to block the ports that send and receive peer-to-peer application traffic.

See Managing intrusion prevention on your client computers.

See Creating a firewall policy.
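To make the behaviour of the rules in the table concrete, here is an added example that models them in Python. It is illustrative code written for this page, not Symantec Endpoint Protection code and not its policy format: it represents the four condition types named above (Launch Process Attempts, Load DLL Attempts, File and Folder Access Attempts, Registry Access Attempts), the actions Block access and Terminate process, and rule scoping (all applications versus a named process), then evaluates constructed client events against a rule set that mirrors the table. The rule names, the event shape, the sample file paths, the assumption that the FTP rule is scoped to cmd.exe, first-match evaluation order, and the registry-key placeholder (the article does not list the keys) are all assumptions made for this example.

```python
"""Illustrative model of application control rule evaluation.

Added example, not Symantec Endpoint Protection code. Rule names, the
event shape, paths, first-match ordering and the registry placeholder
are assumptions made for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ntpath import basename
from typing import List

# Condition types named in the article.
LAUNCH_PROCESS = "Launch Process Attempts"
LOAD_DLL = "Load DLL Attempts"
FILE_ACCESS = "File and Folder Access Attempts"
REGISTRY_ACCESS = "Registry Access Attempts"

# Actions named in the article; ALLOW is the outcome when nothing matches.
ALLOW = "Allow"
BLOCK = "Block access"
TERMINATE = "Terminate process"


@dataclass
class Event:
    kind: str               # one of the condition types above
    process: str            # process performing the attempt (assumed field)
    target: str             # process to launch, DLL to load, file path or registry key
    is_write: bool = False  # FILE_ACCESS only: True for a modification, False for a read


def _wild(target: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match against the full target or its file name,
    so 'LimeWire.exe' matches any path that ends in that name."""
    names = {target.lower(), basename(target).lower()}
    return any(fnmatchcase(n, p.lower()) for n in names for p in patterns)


@dataclass
class Condition:
    kind: str
    patterns: List[str]       # e.g. ["LimeWire.exe", "*.torrent"]
    action: str = BLOCK
    write_only: bool = False  # read-only rule: reads pass, modifications are acted on

    def matches(self, event: Event) -> bool:
        if event.kind != self.kind or (self.write_only and not event.is_write):
            return False
        return _wild(event.target, self.patterns)


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    applies_to: List[str] = field(default_factory=list)  # empty list = all applications

    def applies(self, event: Event) -> bool:
        return not self.applies_to or _wild(event.process, self.applies_to)


def evaluate(rules: List[Rule], event: Event) -> str:
    """First matching condition wins (ordered rule set); otherwise the event is allowed."""
    for rule in rules:
        if rule.applies(event):
            for cond in rule.conditions:
                if cond.matches(event):
                    return cond.action
    return ALLOW


# Rule set mirroring the article's table (names and paths are assumptions).
RULES = [
    Rule("Block FTP client from the command prompt",
         [Condition(LAUNCH_PROCESS, ["ftp.exe"])], applies_to=["cmd.exe"]),
    Rule("Block WordPad via Msvcrt.dll",            # also hits every other app loading the DLL
         [Condition(LOAD_DLL, ["msvcrt.dll"])]),
    Rule("Financial data is read-only",
         [Condition(FILE_ACCESS, [r"C:\Finance\*"], write_only=True)]),
    Rule("Block file shares", [
        Condition(REGISTRY_ACCESS, [r"HKLM\<sharing-key-placeholder>\*"]),  # keys not listed in article
        Condition(LAUNCH_PROCESS, ["svchost.exe"]),
        Condition(LOAD_DLL, ["rshx32.dll", "ntshrui.dll"]),
        Condition(LOAD_DLL, ["srvsvc.dll"]),
    ]),
    Rule("Block peer-to-peer applications",
         [Condition(LAUNCH_PROCESS, ["LimeWire.exe", "*.torrent"], action=TERMINATE)]),
]


def sample_decisions():
    """Constructed client events and the action each receives under RULES."""
    events = [
        Event(LAUNCH_PROCESS, "cmd.exe", r"C:\Windows\System32\ftp.exe"),
        Event(LAUNCH_PROCESS, "explorer.exe", r"C:\Windows\System32\ftp.exe"),   # outside rule scope
        Event(LOAD_DLL, "wordpad.exe", r"C:\Windows\System32\msvcrt.dll"),
        Event(LOAD_DLL, "calc.exe", r"C:\Windows\System32\msvcrt.dll"),          # collateral DLL block
        Event(FILE_ACCESS, "notepad.exe", r"C:\Finance\q3.txt"),                 # read
        Event(FILE_ACCESS, "notepad.exe", r"C:\Finance\q3.txt", is_write=True),  # write
        Event(LAUNCH_PROCESS, "explorer.exe", r"C:\Users\a\Downloads\LimeWire.exe"),
        Event(LAUNCH_PROCESS, "explorer.exe", r"C:\Users\a\Downloads\movie.torrent"),
        Event(LOAD_DLL, "svchost.exe", r"C:\Windows\System32\srvsvc.dll"),
    ]
    return [(e.process, e.kind, basename(e.target), evaluate(RULES, e)) for e in events]


if __name__ == "__main__":
    for process, kind, target, action in sample_decisions():
        print(f"{process:13} {kind:32} {target:16} -> {action}")
```

The model shows the two points a practitioner should take from the table: a read-only rule is a File and Folder Access Attempts condition that acts only on modifications, so the read of C:\Finance\q3.txt passes while the write is blocked; and a Load DLL Attempts condition is not application-specific, so the Msvcrt.dll rule meant for WordPad also blocks calc.exe, exactly the side effect the article warns about. The collateral reach of a DLL rule is worth testing against a representative set of business applications before the policy is rolled out.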

Block write attempts to DVD drives

Currently, Symantec Endpoint Protection Manager does not support a rule set that specifies the blocking of write attempts to DVD drives. You can select the option in the Application and Device Control policy; however, the option is not enforced. Instead, you can create an Application and Device Control policy that blocks specific applications that write to DVD drives.

You should also create a Host Integrity policy that sets the Windows registry key to block write attempts to DVD drives.
